DNAT and MASQUERADE
Erez D
erez0001 at gmail.com
Thu Jan 8 10:43:35 IST 2015
On Wed, Jan 7, 2015 at 11:41 AM, shimi <linux-il at shimi.net> wrote:
>
>
> On Wed, Jan 7, 2015 at 11:35 AM, shimi <linux-il at shimi.net> wrote:
>
>>
>>
>> On Wed, Jan 7, 2015 at 10:16 AM, Erez D <erez0001 at gmail.com> wrote:
>>
>>> hello.
>>>
>>> I have an iptables question
>>>
>>> I have the following
>>>
>>> ext_ip -> NAT1 -> linux firewall-> network -> computer1:eth0 ..
>>> computer99
>>>
>>> I have no control over NAT1.
>>> computer1 also can reach the internet via eth1.
>>>
>>> linux firewall redirects incoming port 7777 from ext_ip to computer1
>>> however I need computer2 .. computer99 to connect to ext_ip:7777 and also
>>> reach computer1
>>>
>>> so first I did a NAT rule in linux firewall to redirect all packets from
>>> internal to ext_ip:7777 to computer1. and did an 'ifconfig eth0:1 $ext_ip
>>> up' on computer1.
>>> this works. however it causes computer1 not to be able to access real
>>> ext_ip via eth1 which is connected to the internet as well
>>>
>>> so I thought of both doing DNAT and MASQ, which will do the same but will
>>> not require assigning ext_ip to computer1.
>>> however I do not know how to do that
>>>
>>>
>> If computer1 can access ext_ip:7777, all you need is to allow ip_forward
>> (/etc/sysctl.conf for permanent, and echo 1 >
>> /proc/sys/net/ipv4/ip_forward) on computer1, and have all other computers
>> have a static route to ext_ip via computer1
>>
>> Then, in computer1,
>>
>> iptables -t nat -I POSTROUTING -o <interface going towards ext_ip> [ -i
>> <interface subnet of computers come from> ] -s <subnet of
>> computers/netmask> -p tcp --dport 7777 -j MASQUERADE
>>
>> should do...
>>
>> (of course, assuming the iptables FORWARD chain is not dropping those
>> packets; otherwise you'd need an ACCEPT rule there, too...)
>>
>> HTH,
>>
>> -- Shimi
>>
>>
> And on a second read, I think I got you wrong and the purpose was to
> access computer1 port 7777 (hopefully listening on 0.0.0.0) from computersN
> by using the external IP from the inside?
>
yes
>
> If so, did:
>
computerN default route is the linux firewall. without any rules on linux
firewall, it will forward packets from computer1 destined to ext_ip to
NAT1. and they will not reach computer1 at all, so rules on computer1 are
useless.
Doing a DNAT on linux firewall will direct the packets to computer1,
however computer1 will know computerN and will reply directly without going
through linux firewall, and computer1 will not match the packets to the
original connection.
> iptables -I PREROUTING -i <interface of computersN subnet> -s <subnet of
> computers/netmask> -p tcp --dport -j REDIRECT --to-port 7777
>
> not work?
>
> -- Shimi
>
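The DNAT-plus-MASQUERADE combination the thread is circling around, as an added example that is not from any poster in this thread: rules for the linux firewall that hairpin LAN connections to ext_ip:7777 back to computer1 and rewrite their source so computer1's replies come back through the firewall, where conntrack can match them to the DNATed connection. The addresses, interface name and the DRY_RUN helper are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) for ext_ip:7777 -> computer1, run on the linux firewall.
# All values below are constructed placeholders; replace them with the real ones.
EXT_IP="${EXT_IP:-203.0.113.10}"        # ext_ip (placeholder, TEST-NET-3 range)
LAN_IF="${LAN_IF:-eth0}"                # firewall interface facing computer1..computer99
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # subnet the computersN live in
SERVER="${SERVER:-192.168.1.10}"        # computer1
PORT="${PORT:-7777}"

# Print the rules instead of applying them when DRY_RUN=1 (helper assumed here).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

hairpin_rules() {
    # 1. Destination rewrite: LAN traffic to ext_ip:7777 is sent to computer1 instead
    #    of being forwarded out to NAT1, where it would never come back.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$EXT_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER:$PORT"
    # 2. Source rewrite: computer1 now sees the firewall's LAN address as the client,
    #    so its replies go via the firewall and are un-DNATed by conntrack, rather
    #    than straight to computerN where they would not match the connection.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" \
        -p tcp --dport "$PORT" -j MASQUERADE
    # 3. Allow the hairpinned flow through FORWARD (same interface in and out),
    #    limited to this port and to conntrack-tracked state.
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$SERVER" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$SERVER" -p tcp --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: ./hairpin.sh show   (print the rules)   |   ./hairpin.sh apply   (as root)
case "${1:-}" in
    show)  DRY_RUN=1 hairpin_rules ;;
    apply) hairpin_rules ;;
esac
```

The firewall must already have net.ipv4.ip_forward=1 (it does, since it forwards for the LAN); the trade-off of step 2 is that computer1's logs show the firewall's address instead of the real computerN client.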